Security News New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

[LASER_oneXM]

some quotes from the article above:

A new technique named DoubleAgent, discovered by security researchers from Cybellum, allows an attacker to hijack security products and make them take malicious actions.

The DoubleAgent attack was uncovered after Cybellum researchers found a way to exploit Microsoft's Application Verifier mechanism to load malicious code inside other applications.

DoubleAgent attack leverages Microsoft's Application Verifier

The Microsoft Application Verifier is a tool that allows developers to verify code for errors at runtime. The tool ships with all Windows versions and works by loading a DLL inside the application developers want to check. Cybellum researchers discovered that developers could load their own "verifier DLL" instead of the one provided by the official Microsoft Application Verifier.
Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he'd like injected into a legitimate process.

Several antivirus makers affected

Cybellum researchers say that most of today's security products are susceptible to DoubleAgent attacks. The list of affected products includes:

Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
Comodo
ESET
F-Secure
Kaspersky
Malwarebytes
McAfee
Panda
Quick Heal
Norton

DoubleAgent morphs security products into malware

The DoubleAgent attack is extremely dangerous, as it hijacks the security product, effectively disabling it. Depending on an attacker's skill level, he could use the DoubleAgent flaw to load malicious code that:

• Turns the security product off
• Makes the security product blind to certain malware/attacks
• Uses the security product as a proxy to launch attacks on the local computer/network
• Elevates the user privilege level of all malicious code (security products typically run with the highest privileges)
• Use the security product to hide malicious traffic or exfiltrate data
• Damage the OS or the computer
• Cause a Denial of Service

By design, the DoubleAgent attack is both a code injection technique and a persistence mechanism, as it allows an attacker to re-inject the malicious DLL inside a targeted process after each boot, thanks to the registry key.

 

[DJ Panda]

I'm curious of a couple things.
1. How results on detection for this file in the Malware Hub.
2. See images of other infected AVs besides Norton. (The malware UIs injected into Malwarebytes, Avast, ect.

Thanks for the share!

 

[_CyberGhosT_]

I know that list may not be 100% inclusive, but not seeing EmsiSoft or HitmanPro.Alert
on that list does feel a little comforting.
Great share Laser !

 

[WinXPert]

I wonder if the attack can be 100% successful on a password protected AV?

 

[Huchim]

Just my guess but I think that vulnerabilities of antivirus (mainly big names) are becoming more frequent. AV is not enough and is becoming useless

 

[509322]

I'm curious of a couple things.
1. How results on detection for this file in the Malware Hub.

It's a Proof-of-Concept (PoC) - it isn't in the wild - so there is no malware to collect, submit\scan for detection, or test against security softs mentioned.

Besides, if I recall correctly, AppVerif.exe is digitally signed by Microsoft... and no AV is going to detect a legit Microsoft programming troubleshooting utility.

 

[509322]

some quotes from the article above:

"The tool ships with all Windows versions..."

This is incorrect.

Search on your system for AppVerif.exe. If you find it, then its on your system. Even if it is not on your system, malware can still provide a legit working copy of AppVerif.exe itself.

 

[509322]

Just my guess but I think that vulnerabilities of antivirus (mainly big names) are becoming more frequent. AV is not enough and is becoming useless

Default-deny\system lockdown is the answer

 

[Huchim]

That's one of my goals this year and I'm only with appguard lockdown mode and windows defender disabled , awesome difference than traditional AV.

 

[HarborFront]

Does that means Qihoo, Emsisoft etc are not affected? There's no mention that they were affected by the CIA hack (see below)

The full list of security products included in the WikiLeaks Vault 7 dump are as follows:

Comodo
Avast
F-Secure
Zemana Antilogger
Zone Alarm
Trend Micro
Symantec
Rising
Panda Security
Norton
Malwarebytes Anti-Malware
EMET (Enhanced Mitigation Experience Toolkit)
Microsoft Security Essentials
McAfee
Kaspersky
GDATA
ESET
ClamAV
Bitdefender
Avira
AVG

 

[509322]

That's one of my goals this year and I'm only with appguard lockdown mode and windows defender disabled , awesome difference than traditional AV.

Enable Windows Defender or use your AV of choice.

Disabling Windows Defender is not recommended.

We don't recommend abandoning antivirus and firewall, but at the same time that doesn't mean you need to install a 1 GB internet suite.

At home, behind a NAT router you really do not need anything other than Windows Firewall to cover your firewall needs.

Enable Windows Defender and use Windows Firewall Control (Secure Rules).

 

[Solarquest]

 

[larry goes to church]

Does that means Qihoo, Emsisoft etc are not affected? There's no mention that they were affected by the CIA hack (see below)

The full list of security products included in the WikiLeaks Vault 7 dump are as follows:

Comodo
Avast
F-Secure
Zemana Antilogger
Zone Alarm
Trend Micro
Symantec
Rising
Panda Security
Norton
Malwarebytes Anti-Malware
EMET (Enhanced Mitigation Experience Toolkit)
Microsoft Security Essentials
McAfee
Kaspersky
GDATA
ESET
ClamAV
Bitdefender
Avira
AVG

The CIA pretty much owned most majo AVs by the looks of it ahaha

 

[enaph]

Just my guess but I think that vulnerabilities of antivirus (mainly big names) are becoming more frequent. AV is not enough and is becoming useless

I would say more. AV's are becoming obsolete with tools like VodooShield or AppGuard and the only problem is that the majority of the people cannot understand how those tools are working and they completely rely on AV's and disable their common sense. Our mission is to educate people around us and show them alternatives for highly overrated security suites.
Default-deny and good browsing habits are the best security combo.

 

[Winter Soldier]

That's one of my goals this year and I'm only with appguard lockdown mode and windows defender disabled , awesome difference than traditional AV.

About the signatures we have already written rivers of words.
Behavior blocker can sometimes prove to be unable to counteract some of the new malware that regularly appear. Let's take an example: suppose that a X vendor has developed a behavior blocker can detect 100% of the current malware in circulation. What would be the reaction of the malcoders in the circumstances? For sure they would invent a method completely different to be able to infect the computer victim, invisible to this BB. At this point, this BB would need to see urgent updates for its rules for the recognition of behaviors.
But malwriters can constantly find new ways to circumvent the protective action of the new updates. In the end, inevitably, and probably we will see the same situation as the signatures scanning; in fact, the signatures of the malware may be in the form of “behaviours”, instead of “code fragments”.
Default Deny/Lockdown Mode would be a more manageable condition.

 

[BugCode]

"Shortly"; it is a endless war! But "they" found sooner or later vulnerabilities when you power on your PC (if they want). As guru's has already saying, there's no 100% bulletproof security. But you can reduce the risk like default deny lockdown / CF (cs-settings) etc. And last but not least common sense & safe habits!. Well as all the thing in the world, they who have more money have more power! It's a cruel world. But there are always people behind the "curtain" who wanna play a game & that game is endless!

 

[Solarquest]

About the signatures we have already written rivers of words.
Behavior blocker can sometimes prove to be unable to counteract some of the new malware that regularly appear. Let's take an example: suppose that a X vendor has developed a behavior blocker can detect 100% of the current malware in circulation. What would be the reaction of the malcoders in the circumstances? For sure they would invent a method completely different to be able to infect the computer victim, invisible to this BB. At this point, this BB would need to see urgent updates for its rules for the recognition of behaviors.
But malwriters can constantly find new ways to circumvent the protective action of the new updates. In the end, inevitably, and probably we will see the same situation as the signatures scanning; in fact, the signatures of the malware may be in the form of “behaviours”, instead of “code fragments”.
Default Deny/Lockdown Mode would be a more manageable condition.

I think we need all 3:
- common sense and more security awareness, information
- Default Deny/Lockdown Mode
-BB: the more they improve the less ways will be available to hide from them/more difficult it will be to bypass them.

 

[Fel Grossi]

Discussions in Comodo forum..

Hi Guys,
It's Michael from Cybellum here.
First of all I would like to give a lot of credit to Comodo as it was one of the most challenging antiviruses to attack with DoubleAgent.
Comodo implemented a very interesting feature called CIS Protected Registry Keys which in fact was supposed to block DoubleAgent-like attacks.

We struggled at the beginning and indeed Comodo managed to block most attempts to attack it via DoubleAgent.
It was tricky, but eventually we succeeded, and Comodo is vulnerable to DoubleAgent just like all the other antiviruses.

I took the time and effort to upload a POC video showing DoubleAgent successfully attacking Comodo
This video was done a few minutes ago, so it obviously affects the latest version of Comodo.

The Comodo attack is the only one that doesn't use our publicly available POC code, but rather a different private code.
We decided not to share the private code in order to protect Comodo users, but Egemen (from Comodo) have received it and is aware of it.
Egemen has done a great work communicating with us, and hopefully a new patch would be released soon to close Comodo's vulnerability to DoubleAgent.

Michael Engstler
Co-Founder & CTO, Cybellum

Answers from egemen (Comodo engineer)

Correct. The PoC we have is a new COMODO specific issue which can allow attacker to do a few things with default configuration. Default config needs to be slightly changed. See below for configuration changes to cover this PoC as well.

 

[Solarquest]

Discussions in Comodo forum..




Answers from egemen (Comodo engineer)

@Felipe Oliveira, Thank you for sharing, very interesting!
I was curious what changes when suggested...
Found the thread

New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software - General Discussion (off topic) Anything and everything... | Page 2

 

[Kalimirro]

This thing works like a cancer cell !